The law took effect on May 25, 2018. The purpose of the law is to give European citizens control over their data, and to simplify regulations for sites and online businesses in the EU by unifying the regulation surrounding data protection in the member countries. It applies to all sites and online businesses storing information about citizens of the European Union – not just websites based within the union.

GDPR is complex, and since violations against the regulation come with severe sanctions, companies that are looking to comply with GDPR should consult with lawyers about what steps are needed. Companies found to be in violation with GDPR can be fined up to €20 million or 4% of annual turnover, whichever is greater. The hourly rate of a good lawyer seems pretty affordable in comparison.

The following is a short summary of what GDPR entails:

According to GDPR, personal data is all information associated with a visitor: name, photo, email address, bank details, social media, location information, medical information, IP address, and so on.

You may not collect or process personal information without your visitor’s consent. You must inform visitors, before saving any personal information whatsoever, of how the data will be saved and what it will be used for.

You must be able to provide a copy of the information you have saved about your visitor. You must also be able to explain what you have used the data for.

Your visitors have the right to access all their personal information. You must also be able to inform them about how the information will be used by you after it has been collected.

You must be able to delete all information about a visitor at their request. If your visitor wants to revoke the consent he or she has given you, they are entitled to have their data deleted.

You must be able to provide your visitor with all the information stored. You must therefore be able to deliver all saved information if a visitor wants to move the information to another provider.

You must be able to let visitors change all information stored about them at their request.

The visitor may request that his or her data can’t be used. You are still allowed to keep the information, but you are not allowed to use it.

If there is a data violation of any kind involving your visitors’ personal information, you must notify appropriate government agencies of the breach within 72 hours. You must also inform any visitors affected by the breach.

WordPress version 4.9.6, released on May 17, 2018, included a number of privacy updates that make it easier to create GDPR compliant WordPress websites. You can find a full list of the added features in the release notes for WordPress 4.9.6.